Microsoft KB Archive/312031



Using the Symantec W32.Nimda.A@mm Virus Removal Tool Affects the Sysvol and Netlogon Share Permissions

Article ID: 312031

Article Last Modified on 10/30/2006



APPLIES TO

  • Microsoft Windows 2000 Server



This article was previously published under Q312031

SYMPTOMS

When you use the Symantec W32.Nimda.A@mm virus removal tool on a domain controller, the share permissions for shares such as Sysvol and Netlogon may be changed from the default share permissions.

The application log may display the following error message about Event ID 1000:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: date
Time: time
User: NT Authority\System
Computer: computer
Description: Windows cannot access the registry information at \\domain\Sysvol\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\computer\Registry.pol with (5). Access denied.

CAUSE

This behavior can occur because the virus removal tool restricts access for viewable shares. The Symantec Web site for this virus states that the tool performs the following actions on all viewable shares:

  • Returns shared drives and folders to default security settings.
  • Makes administrative shares accessible only to administrators.
  • Resets the access permission for publicly-named network shares from Everyone [Full Control] to members of the Administrator group [Full Control].

The tool does not remove the shares themselves, but it does restrict access to them: it resets all share permissions on file servers and domain controllers. The SYSTEM account then cannot use the Sysvol share to propagate some Group Policy settings, which generates the "Access denied" error.

RESOLUTION

To resolve this behavior, on Microsoft Windows 2000 Server-based domain controllers, reset the share permissions for the %SystemRoot%\SYSVOL\Sysvol folder to the following default permissions:

Administrators - Full Control
Authenticated Users - Full Control
Everyone - Read


If other shares are affected, you must also set permissions for those shares back to their previous settings.
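The following script is an added example and is not part of this article or of the Symantec tool. It audits the SYSVOL and NETLOGON share permissions on a domain controller against the defaults listed above and, when run with -Fix, sets them back. It assumes the SmbShare PowerShell module (Windows Server 2012 or later); Windows 2000 has no PowerShell, so there the same check and reset are done in Computer Management under Shared Folders. The account name strings are the forms the SmbShare cmdlets report and are an assumption about that module, not something this article states.

```powershell
# Added example (not from KB 312031): audit and optionally reset the
# SYSVOL and NETLOGON share permissions to the article's default values.
# Assumes the SmbShare module (Windows Server 2012 or later).
[CmdletBinding()]
param(
    [switch]$Fix
)

# Expected default share permissions, as listed in the RESOLUTION section.
# Account name formats are those returned by Get-SmbShareAccess (assumed).
$Expected = @{
    'BUILTIN\Administrators'           = 'Full'
    'NT AUTHORITY\Authenticated Users' = 'Full'
    'Everyone'                         = 'Read'
}

function Test-SysvolShareAccess {
    param([string]$ShareName)

    # Collect the current Allow entries as account -> access right.
    $actual = @{}
    Get-SmbShareAccess -Name $ShareName -ErrorAction Stop |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $actual[$_.AccountName] = [string]$_.AccessRight }

    $drift = @()
    # Expected entries that are missing or carry a different right.
    foreach ($account in $Expected.Keys) {
        if ($actual[$account] -ne $Expected[$account]) {
            $drift += [pscustomobject]@{
                Share    = $ShareName
                Account  = $account
                Expected = $Expected[$account]
                Actual   = $actual[$account]   # $null when the entry is absent
            }
        }
    }
    # Extra Allow entries that are not part of the defaults.
    foreach ($account in $actual.Keys) {
        if (-not $Expected.ContainsKey($account)) {
            $drift += [pscustomobject]@{
                Share    = $ShareName
                Account  = $account
                Expected = '(none)'
                Actual   = $actual[$account]
            }
        }
    }
    return $drift
}

function Repair-SysvolShareAccess {
    param([string]$ShareName)

    # Remove Allow entries that are not in the expected set, then grant the
    # defaults. Deny entries are not touched here; Unblock-SmbShareAccess
    # removes those if a tool left any behind.
    Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccessControlType -eq 'Allow' -and -not $Expected.ContainsKey($_.AccountName) } |
        ForEach-Object {
            Revoke-SmbShareAccess -Name $ShareName -AccountName $_.AccountName -Force | Out-Null
        }
    foreach ($account in $Expected.Keys) {
        Grant-SmbShareAccess -Name $ShareName -AccountName $account -AccessRight $Expected[$account] -Force | Out-Null
    }
}

foreach ($share in 'SYSVOL', 'NETLOGON') {
    $drift = Test-SysvolShareAccess -ShareName $share
    if ($drift.Count -eq 0) {
        Write-Host "$share share permissions match the defaults."
        continue
    }
    Write-Host "$share share permissions differ from the defaults:"
    $drift | Format-Table -AutoSize
    if ($Fix) {
        Repair-SysvolShareAccess -ShareName $share
        Write-Host "$share share permissions reset to the defaults."
    }
}
```

Run it without -Fix first to see the drift table; the Actual column shows $null for an entry the removal tool dropped (typically Authenticated Users and Everyone) and lists any extra entries it added. Share permissions are separate from the NTFS permissions on %SystemRoot%\SYSVOL described below, so a clean result here does not by itself confirm the folder ACL.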

The file permissions for the Sysvol folder may or may not be affected. Their default settings are as follows:

Administrators - Full Control
Authenticated Users - Read, Read and Execute, and List Folder
System - Full Control
Server Operators - Read, Read and Execute, and List Folder


These permissions are set for the %SystemRoot%\SYSVOL folder and are marked as inherited (they are checked but dimmed) for the %SystemRoot%\SYSVOL\Sysvol folder.

MORE INFORMATION

The following Symantec Web site is the source of the preceding information about the W32.Nimda.A@mm virus removal tool:

For additional information about the default NTFS file system permissions for other folders, click the article number below to view the article in the Microsoft Knowledge Base:

244600 Default NTFS Permissions in Windows 2000


The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For information about how to contact Symantec, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:

65416 Hardware and Software Third-Party Vendor Contact List, A-K

60781 Hardware and Software Third-Party Vendor Contact List, L-P

60782 Hardware and Software Third-Party Vendor Contact List, Q-Z



Additional query words: antivirus Winnt

Keywords: kb3rdparty kberrmsg kbnetwork kbprb kbsectools kbsecurity KB312031